2011/6/15 Nico Williams <nico@cryptonector.com>:
>> * a method that hands over a password (or a password-equivalent)
>> * a method whose UI can be imitated by malicious sites.
> The protocol and UI are not that closely related.  I can't think of
> any method that satisfies the first requirement that couldn't have a
> secure UI.
How about a simple form-field extension which
encrypts some password with timed challenges?
OK, but your point suggests the following rephrasing:
* a UI which can be imitated by malicious sites.
Although they are not closely related, we cannot completely
ignore the UI issues. I think that protocol designs
should, to some extent, consider how such a UI is to be provided
(especially when and how they are kicked in). How about it?